security

You know it could happen some day: you might lose your iPhone, iPad or laptop. If you’ve activated Find My iPhone (or the similarly named feature for other devices), you’ll get an approximate location for the device, but if it’s in an apartment building or office building, or if there’s no Wi-Fi or cellular access, you might not be able to track it down precisely.

If someone finds your device, it would be good to make it easy for them to get in touch and return the device to you. There are plenty of Good Samaritans out there, and it’s worth preparing your device so if one does find it, they can contact you.

Essentially, you want to add contact information to your device, in a way that anyone who turns it on can find your name, email address and phone number (obviously not your iPhone’s number), and get in touch. An easy way would be to paste a sticker on your device, but that might be ugly and it could wear out. Why not add contact information to the lock screens of your Macs and iOS devices? It’s easy.

On the most recent episode of The Committed Podcast, we were discussing security and iPhones, and one of my co-hosts, Ian Schray, mentioned not using a four-digit passcode, that it’s too insecure to use such a simple passcode. I realized after the recording that a lot of people may not know how to set up a longer passcode. Hence, this how-to.

First, why would you want to use a long passcode? If you have a device that offers Touch ID, you’ll use your fingerprint most of the time, and only need to type a passcode when you restart the device, or when Touch ID doesn’t work. The latter only happens when my hands are sweaty; Touch ID has always been very reliable for me, though I know many people who have problems with it.

Your four-digit passcode isn’t very strong, and someone could try a bunch of combinations, unless you have activated a setting (in Settings > Passcode Lock) to erase the device after ten failed passcode attempts. So you might want something more robust.

To set a long passcode, open the Settings app, tap Touch ID & Passcode, and then enter your passcode. Scroll down to where you see a toggle for Simple Passcode, and turn this off.

Enter your passcode to approve this change, then you’ll see a screen allowing you to enter a passcode. Unlike the standard screen, which only displays numbers, this one shows a full keyboard, and you can choose a passcode with letters, numbers, and even symbols and punctuation.

Type the new passcode, and then tap Next; type it again to confirm, and you’ll have a long passcode. Now, whenever you access your device with a passcode, you won’t be limited to just a number pad; you’ll have a full keyboard, and can enter your passcode.

You can still use Touch ID, but whenever you do need to enter a passcode, it will be more secure.

His account was locked for “security reasons;” in other words, someone tried to get into his account, and presumably made too many login attempts, and the account was automatically locked. No problem; just use the recovery key that he got when setting up two-step authentication… But, as Williams says, “How could I be foolish enough to misplace my Apple ID recovery key?”

And there’s the big problem with the way Apple implements two-step authentication.

Two-step authentication combines the need for a password and a code that is sent to you on a device you own. So, when logging into your account from a new device (you don’t do this every time you log in), you’ll get an SMS sent to your phone with a code. You need to have more than one device, in case you lose one of them. For example, if you lose your phone, you need to be able to log in on a computer, and add a new phone as a trusted device. (Hmmm, what does happen if you lose both your computer and phone…?)

In Apple’s case, there is a recovery key, which you can use if you no longer have any trusted devices; this code is also needed if your account gets locked for any reason.

So the real problem is ensuring that you save the recovery key. Apple recommends that you print it out, and keep it in “a safe place,” and that you do not save it on your computer. (Though saving it in an app such as 1Password would be fine.) If you do this, you’ll have no problems. But if you don’t, then you could get locked out of your account; Apple makes this very clear.

So, Apple’s two-step authentication is dangerous, but if you follow the instructions to the letter, you won’t have anything to worry about. As far as I’m concerned, I’ve never set it up, because while the risk of losing access to the account is minimal, it exists. If my house were to burn down, and I lost both physical and digital access to the recovery key, then I’d lose access to a lot of my stuff. If you use this two-step authentication, make sure to have a copy of that key somewhere safe, and make sure to remember, say ten years from now, where you put it, in case you need it then.

As of today, one of them is live: if you sign into iCloud on the web, you’ll get an email:

This is interesting, but is it useful? First, if you get one of these every time you sign into iCloud on the web, it’ll just be a bother. Sure, if you didn’t sign into iCloud, you can reset your password, but too much security hampers usability. People will, over time, get tired of these messages and just delete them.

And, what if I just accessed iCloud around the same time someone broke into my account? Will I get two emails? Or will I just assume that the email I get is for my access?

In any case, by the time you get the email, it might be too late.

As my friend and editor Michael Cohen pointed out:

“Of course, if someone DID sign into your iCloud account via a Web browser, that person would see the email, too and could reset your password, locking you out! Unless you use 2-factor authentication; then it might be harder to do the last.”

You’ve seen it on the internet, even on TV news shows: a number of A-list celebrities had nude selfies swiped from their phones, or their iCloud accounts. Initial thoughts pointed to iCloud, since an exploit was released a couple of days before the photos leaked which targeted Find My iPhone, part of iCloud. This exploit found that Find My iPhone wasn’t rate limited; that it didn’t block users after a certain number of failed password attempts. So the exploit used a list of the 500 most commonly used passwords, and tried them against any Apple ID. If your password was weak, well, you’d get owned. Apple patched iCloud to fix this issue two days later.

But Apple came out with a public statement, saying, “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”

So, who to believe? Some stars jumped the gun, relying on sketchy media reports suggesting that Apple was to blame, and cast aspersion – well, pizza turd – on the company:

But evidence suggests that if iCloud was to blame for some of these breaches, it was not the case for all of them. Some of the stars claim the photos are fakes, while others point out that they don’t use iPhones. According to Apple, their iCloud security questions – the ones you answer to reset a forgotten password – were too easy to figure out. (Though I haven’t seen any suggestions that any of these stars found themselves locked out of their accounts, which would have happened if their passwords were reset.)

There’s lots of speculation, and one of the more interesting theories comes from Boris Gorin of FireLayers. As PC World reports, Gorin said, “The images leaked have been gradually appearing on several boards on the net prior to the post at 4chan–making it reasonable to believe they were not part of a single hack, but of several compromises that occurred over time.”

The PC World article goes on to say:

“Gorin shared a theory the celebrities may have been hacked while connected to an open public Wi-Fi network at the Emmy Awards. If they accessed their personal iCloud accounts, attackers connected to that network would have been able to intercept and capture the username and password credentials. That’s not a security flaw with iCloud and having a strong or complex password wouldn’t offer protection against transmitting that password in clear text on a public Wi-Fi network.”

So we’re stuck in a he-said-she-said loop. In this corner, Apple is saying that these people were targeted by password-reset hacks, which depended on weak security questions. Yet none of the celebrities have said that they found anything amiss when trying to log into anything with their phones or computers. (Of course, they may not want to admit that.) And in that corner, security researchers are looking at old-school man-in-the-middle hacks on public wifi networks.

What seems likely is that, as Gorin says, these were images that were slowly leaked, and that one person decided to dump all at once, to suggest that they all come from the same exploit or hack. And if so, why? Should one speculate that there is a link between this photo dump and Apple’s new product event next week? That, perhaps, a competitor contracted with some black-hat hackers to try and get Apple to have some egg on their face; or some pizza turd?

Put your tinfoil hat on, dear reader. We will probably never know the answer to this one.

One suggestion to the celebrities reading this article (there might be one or two): you have people who tell you what to say and what to wear; find someone to tell you how to keep your personal data secure. It’s not that complicated.

Update: We now know much more about this breach. There was no one single incident grabbing all the photos, a number of techniques were used, from simple figuring out the answers to security questions to forensic software, which anyone can buy for $400 (or simply torrent). Part of the fault is Apple’s, for those accounts that were accessed using the brute-force script, but not all of the accounts whose photos have been leaked were accessed in that manner.